Palo Alto Networks has warned that a recently discovered medium-severity security flaw affecting PAN-OS and Prisma Access is being actively exploited.
The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), is an authentication bypass that bad actors can use to establish a VPN connection without valid credentials.
“Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks’ PAN-OS® software could allow an attacker to bypass security restrictions and establish an unauthorized VPN connection,” Palo Alto Networks said in an advisory issued May 13, 2026.
The network security company said the issue specifically affects firewalls configured as a GlobalProtect portal or gateway when authentication override cookies are enabled and a specific certificate configuration is present.
In an update to its advisory dated May 29, 2026, Palo Alto Networks said it had become aware of “limited exploitation attempts on unpatched PAN-OS devices without any mitigations implemented.”
The development comes after Rapid7 revealed that it had identified successful exploitation across multiple customers, with the initial attempts occurring on May 17, 2026, followed by a second wave on May 21. Both sets of exploitation are believed to be the work of the same threat actor.
The activity observed in the second wave involved VPN IP assignment followed by cookie authentication in two cases, which gave the attacker access to the internal network. The cybersecurity vendor said there was no follow-up activity in the customer environment where the VPN session was established.
“Authentication bypass in edge-facing enterprise VPN appliances can have a significant impact on affected organizations,” Rapid7 said. “Thus, organizations running affected devices are urged to upgrade to vendor-supplied patches on an immediate basis.”
As a temporary mitigation, administrators are advised to either disable the authentication override feature or generate a new certificate to be used exclusively for the authentication override feature, so that the cookie-signing certificate is not shared with any other purpose.
The CVE-2026-0257 exploitation follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw affecting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to distribute credential-stealing malware called EKZ InfoStealer.